I need to restore an inline hook in an app made by a third-party program.
I already know that first I need to load the target module for reading and calculate the offset to the target API:
Code:
// Get the module handle and function address..
auto modGdi32 = GetModuleHandle("GDI32.dll");
auto funcBitBlt = GetProcAddress(modGdi32, "BitBlt");

// Calculate the function offset..
auto offBitBlt = (uintptr_t)funcBitBlt - (uintptr_t)modGdi32;

So, now that I know the offset to the function, how can I use it to calculate and read the original function data directly from the loaded file, and then restore it to the loaded module data?
E.g.:
If any third-party software does something like this in my app:
Code:
DWORD NtHookInstall(LPVOID lpTargetAddress, LPVOID lpCallbackAddress)
{
    if (lpTargetAddress == 0 || lpCallbackAddress == 0)
        return 0;

    DWORD dwOldProtection = 0;
    if (VirtualProtect(lpTargetAddress, 7, PAGE_EXECUTE_READWRITE, &dwOldProtection) == 0)
        return 0;

    *(BYTE*)(lpTargetAddress) = 0xE9;
    *(long*)((LPBYTE)lpTargetAddress + 1) = ((DWORD)lpCallbackAddress - ((DWORD)lpTargetAddress + 5));

    VirtualProtect(lpTargetAddress, 7, dwOldProtection, &dwOldProtection);
    return 1;
}

void Callback()
{
    SetLastError(5);
}

// Usage:
NtHookInstall(GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "ZwOpenProcess"), (LPVOID) Callback);

Then how do I revert any inline hook, regardless of how it was coded, as is done by the PC Hunter software?
Any suggestion or help will be welcome.



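Added example, not part of the original post: the value computed as `offBitBlt` is an RVA (offset inside the mapped image), which is not the same as an offset into the DLL file on disk, so it has to be translated through the PE section table before the on-disk bytes can be compared with the bytes in memory. The sketch below does that translation and reports whether a function's first bytes differ; the `Section` struct, the function names and the sample layout are constructed for illustration, and real code would fill the table from the module's `IMAGE_SECTION_HEADER` entries.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Subset of the IMAGE_SECTION_HEADER fields needed for the mapping. */
typedef struct {
    uint32_t VirtualAddress;    /* RVA of the section once mapped  */
    uint32_t VirtualSize;       /* size of the section in memory   */
    uint32_t PointerToRawData;  /* offset of the section in the file */
    uint32_t SizeOfRawData;     /* size of the section on disk     */
} Section;

/* Translate an RVA (address - module base) to a file offset.
   Returns -1 when the RVA lies outside every section or in the
   zero-filled tail of a section that has no bytes on disk. */
long rva_to_file_offset(const Section *s, size_t n, uint32_t rva) {
    for (size_t i = 0; i < n; i++) {
        if (rva < s[i].VirtualAddress) continue;
        uint32_t delta = rva - s[i].VirtualAddress;
        if (delta >= s[i].VirtualSize) continue;
        if (delta >= s[i].SizeOfRawData) return -1;
        return (long)(s[i].PointerToRawData + delta);
    }
    return -1;
}

/* Compare len bytes at rva: file on disk vs. mapped image (indexed by RVA).
   1 = bytes differ, 0 = identical, -1 = RVA cannot be mapped / out of bounds.
   Bytes covered by a base relocation differ legitimately and need
   to be excluded by the caller; this sketch does not parse relocations. */
int prologue_modified(const uint8_t *file, size_t file_len,
                      const uint8_t *mem, size_t mem_len,
                      const Section *s, size_t n, uint32_t rva, size_t len) {
    long off = rva_to_file_offset(s, n, rva);
    if (off < 0 || (size_t)off + len > file_len || (size_t)rva + len > mem_len)
        return -1;
    return memcmp(file + off, mem + rva, len) != 0;
}

/* Constructed sample: .text at RVA 0x1000, stored at file offset 0x400. */
static const Section SAMPLE[] = { {0x1000, 0x200, 0x400, 0x200} };

int demo(int hooked) {
    static uint8_t file[0x600], mem[0x1200];
    const uint8_t orig[5] = {0x8B, 0xFF, 0x55, 0x8B, 0xEC}; /* typical x86 prologue */
    const uint8_t jmp[5]  = {0xE9, 0x10, 0x20, 0x30, 0x40}; /* E9 rel32 patch, as in the post */
    memcpy(file + 0x450, orig, 5);                   /* on-disk copy at file offset 0x450 */
    memcpy(mem + 0x1050, hooked ? jmp : orig, 5);    /* mapped copy at RVA 0x1050 */
    return prologue_modified(file, sizeof file, mem, sizeof mem, SAMPLE, 1, 0x1050, 5);
}
```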
